
Urgent help needed: need to find out the throttle during a DDoS attack.

Hello everybody,

I've been under DDoS attack for the past few days... I've done lots of things, and the IDC is helping us by disabling the IP on the border when the bandwidth reaches the threshold... and to turn the downtime around I assigned several different public IPs and rotate them... it's working fine...

The problem I'm having now is: when I receive an attack, Astaro detects the attack, and all my network loses packets until the border disables the IP.


Now I'm struggling to find out what the bottleneck is..

Any clue?

Also I'm trying to figure out a way to disable the IP in case of attack; it would cease the attack immediately without compromising the whole structure..


thanks


  • Hi, you may need to limit logging and alerting.

    Barry
  • Thanks for the replies..

    some info:

    CPU and MEM are not overused during the attacks.

    Live Log: Intrusion Prevention System
    2014:05:21-20:28:26 huanis ulogd[5625]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="c4:71:fe:32:cd:40" dstmac="0:21:9b:fc:13:89" srcip="202.162.210.2" dstip="179.X.X.X" proto="17" length="468" tos="0x00" prec="0x00" ttl="52" srcport="123" dstport="53"
    2014:05:21-20:28:26 huanis ulogd[5625]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" srcmac="c4:71:fe:32:cd:40" dstmac="0:21:9b:fc:13:89" srcip="203.113.25.29" dstip="179.X.X.X" proto="1" length="64" tos="0x00" prec="0x00" ttl="53" type="3" code="3"
    2014:05:21-20:28:26 huanis ulogd[5625]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="c4:71:fe:32:cd:40" dstmac="0:21:9b:fc:13:89" srcip="202.162.210.14" dstip="179.X.X.X" proto="17" length="468" tos="0x00" prec="0x00" ttl="51" srcport="123" dstport="53"
    2014:05:21-20:28:27 huanis ulogd[5625]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="c4:71:fe:32:cd:40" dstmac="0:21:9b:fc:13:89" srcip="222.207.246.37" dstip="179.X.X.X" proto="17" length="468" tos="0x00" prec="0x00" ttl="44" srcport="123" dstport="53"
    2014:05:21-20:28:27 huanis ulogd[5625]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="c4:71:fe:32:cd:40" dstmac="0:21:9b:fc:13:89" srcip="222.207.246.37" dstip="179.X.X.X" proto="17" length="468" tos="0x00" prec="0x00" ttl="44" srcport="123" dstport="53"
    2014:05:21-20:28:27 huanis ulogd[5625]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="c4:71:fe:32:cd:40" dstmac="0:21:9b:fc:13:89" srcip="222.207.246.37" dstip="179.X.X.X" proto="17" length="468" tos="0x00" prec="0x00" ttl="44" srcport="123" dstport="53"
    2014:05:21-20:28:27 huanis ulogd[5625]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="c4:71:fe:32:cd:40" dstmac="0:21:9b:fc:13:89" srcip="222.207.246.37" dstip="179.X.X.X" proto="17" length="468" tos="0x00" prec="0x00" ttl="44" srcport="123" dstport="53"
    2014:05:21-20:28:27 huanis ulogd[5625]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="c4:71:fe:32:cd:40" dstmac="0:21:9b:fc:13:89" srcip="222.207.246.37" dstip="179.X.X.X" proto="17" length="468" tos="0x00" prec="0x00" ttl="44" srcport="123" dstport="53"
    2014:05:21-20:28:28 huanis ulogd[5625]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="c4:71:fe:32:cd:40" dstmac="0:21:9b:fc:13:89" srcip="222.207.246.37" dstip="179.X.X.X" proto="17" length="468" tos="0x00" prec="0x00" ttl="44" srcport="123" dstport="53"
    2014:05:21-20:28:28 huanis ulogd[5625]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="c4:71:fe:32:cd:40" dstmac="0:21:9b:fc:13:89" srcip="222.207.246.37" dstip="179.X.X.X" proto="17" length="468" tos="0x00" prec="0x00" ttl="44" srcport="123" dstport="53"
    One thing I noticed.... I have an external gateway; during the attacks I can ping the gateway normally, but everything inside Astaro loses packets, including the WAN IP...


    From the graphs it seems Astaro is not letting the packets go through to the internal net.


    Any other info I can provide to help you guys help me?
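To put numbers on the flood from the IPS log quoted above, here is an added Python example (not Astaro's code or the poster's) that parses ulogd key="value" lines into events per second, per source and per flood type, and flags UDP sources whose *source* port is a well-known service port, as the 123 -> 53 lines above are. The sample lines are constructed from the entries in this post, and the reflector port list is an assumption.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ulogd IPS lines quoted in the thread
# (dstip kept as the thread's own 179.X.X.X mask).
SAMPLE_LOG = """\
2014:05:21-20:28:26 huanis ulogd[5625]: id="2105" sub="ips" name="UDP flood detected" srcip="202.162.210.2" dstip="179.X.X.X" proto="17" length="468" srcport="123" dstport="53"
2014:05:21-20:28:26 huanis ulogd[5625]: id="2104" sub="ips" name="ICMP flood detected" srcip="203.113.25.29" dstip="179.X.X.X" proto="1" length="64" type="3" code="3"
2014:05:21-20:28:27 huanis ulogd[5625]: id="2105" sub="ips" name="UDP flood detected" srcip="222.207.246.37" dstip="179.X.X.X" proto="17" length="468" srcport="123" dstport="53"
2014:05:21-20:28:27 huanis ulogd[5625]: id="2105" sub="ips" name="UDP flood detected" srcip="222.207.246.37" dstip="179.X.X.X" proto="17" length="468" srcport="123" dstport="53"
2014:05:21-20:28:27 huanis ulogd[5625]: id="2105" sub="ips" name="UDP flood detected" srcip="222.207.246.37" dstip="179.X.X.X" proto="17" length="468" srcport="123" dstport="53"
2014:05:21-20:28:28 huanis ulogd[5625]: id="2105" sub="ips" name="UDP flood detected" srcip="222.207.246.37" dstip="179.X.X.X" proto="17" length="468" srcport="123" dstport="53"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Assumed list of UDP services commonly abused as reflectors (port -> name).
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}

def parse_line(line):
    """One ulogd line -> dict of its key="value" fields plus the leading timestamp."""
    parts = line.split(" ", 1)
    if len(parts) < 2 or 'sub="ips"' not in line:
        return None          # not an IPS event (or an empty line)
    rec = dict(KV_RE.findall(parts[1]))
    rec["ts"] = parts[0]     # e.g. 2014:05:21-20:28:26, one-second resolution
    return rec

def summarize(text):
    """Count IPS events per second, per source IP and per flood type; sum bytes per source."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    bytes_per_source = Counter()
    for r in recs:
        bytes_per_source[r["srcip"]] += int(r.get("length", 0))
    return {
        "per_second": Counter(r["ts"] for r in recs),
        "per_source": Counter(r["srcip"] for r in recs),
        "per_type": Counter(r["name"] for r in recs),
        "bytes_per_source": bytes_per_source,
    }

def peak_events_per_second(text):
    per_second = summarize(text)["per_second"]
    return max(per_second.values()) if per_second else 0

def reflected_sources(text):
    """UDP sources whose source port is a service port: these packets are replies to
    spoofed requests, so blocking the srcip silences a reflector, not the attacker."""
    return {r["srcip"] for r in map(parse_line, text.splitlines())
            if r and r.get("proto") == "17" and int(r.get("srcport", 0)) in REFLECTOR_PORTS}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("peak events/s:", peak_events_per_second(SAMPLE_LOG))
    print("top sources:", s["per_source"].most_common(3))
    print("likely reflectors:", sorted(reflected_sources(SAMPLE_LOG)))
```

The IPS log only shows what the flood detector chose to log, not the wire rate, so to find the bottleneck compare these counts with the eth1 interface counters over the same seconds.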
  • CPU and MEM are not overused during the attacks.


    How fast are the logs filling up? If too high, the disk could be overloaded.

    Otherwise, as mentioned, your internet connection is overloaded.

    Barry